Trojan Loader Infiltrates Google Play Using GitHub and Firebase

Security researchers have discovered nine apps on Google Play containing the Clast82 loader, which downloads the AlienBot and mRAT trojans. The attackers managed to bypass the app store’s security mechanisms using several tricks, including leveraging GitHub repositories and the Firebase cloud service. Once Google was informed of this new threat, the infected apps were promptly removed from the store.

How Clast82 Evaded Detection

According to an analysis by Check Point Software, Clast82 was embedded into legitimate apps and could hide its malicious behavior during Google Play’s review process. This was achieved through a parameter sent in a configuration file from a C2 server, which the loader accessed via Firebase. If the parameter was set to false, the loader would not perform its main function. Once the infected app was published in the store, the parameter would switch to true, giving the green light to download the target APK from a specified link.

The malicious payload itself was hosted on GitHub. If the Android device had the “install from unknown sources” option disabled, Clast82 would display a fake Google Play Services message every five minutes, trying to convince the victim to enable installation from unknown sources.
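The two paragraphs above describe a recognisable dropper pattern: configuration fetched from Firebase gates the behaviour, the payload APK is pulled from GitHub, and the app checks or nags for the "install from unknown sources" setting. The script below is an added example, not code from the Check Point analysis or from any of the affected apps. It runs static-triage heuristics over constructed per-app artifact records (permissions, string constants, API references of the kind a decompiler or a strings pass would yield); the Android permission and API names are real, the package names, hosts and URLs are placeholders. Each trait alone is common in legitimate apps, so the scoring weights their combination.

```python
"""Static triage heuristics for a remotely gated Android loader (added example)."""
import re
from dataclasses import dataclass, field

# Real Android APIs/permissions; each is legitimate on its own.
SIDELOAD_INDICATORS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "PackageManager.canRequestPackageInstalls",
    "Settings.Secure.INSTALL_NON_MARKET_APPS",
    "Settings.ACTION_MANAGE_UNKNOWN_APP_SOURCES",
}
FIREBASE_CONFIG_APIS = {"FirebaseRemoteConfig", "FirebaseDatabase"}
# Payload hosted on GitHub: raw file, release asset or repository path ending in .apk
GITHUB_APK_RE = re.compile(r"https?://(?:raw\.)?github(?:usercontent)?\.com/\S+\.apk", re.I)

FLAG_THRESHOLD = 5


@dataclass
class AppArtifacts:
    package: str
    permissions: set
    strings: list
    api_refs: set


@dataclass
class Verdict:
    package: str
    score: int = 0
    reasons: list = field(default_factory=list)


def triage(app: AppArtifacts) -> Verdict:
    """Score one app's artifacts; the combined pattern outweighs single traits."""
    v = Verdict(app.package)
    uses_firebase = bool(app.api_refs & FIREBASE_CONFIG_APIS) or any(
        "firebaseio.com" in s for s in app.strings
    )
    if uses_firebase:
        v.score += 1
        v.reasons.append("fetches remote configuration from Firebase")
    apk_urls = [s for s in app.strings if GITHUB_APK_RE.search(s)]
    if apk_urls:
        v.score += 2
        v.reasons.append(f"references a GitHub-hosted APK: {apk_urls[0]}")
    sideload = (app.permissions | app.api_refs) & SIDELOAD_INDICATORS
    if sideload:
        v.score += 1
        v.reasons.append("checks or requests sideload capability: " + ", ".join(sorted(sideload)))
    if uses_firebase and apk_urls and sideload:
        v.score += 3  # the gated-download-plus-sideload combination is the real signal
        v.reasons.append("remote-gated payload download combined with sideload prompting")
    return v


def flagged(apps) -> list:
    """Packages whose score reaches the threshold, for analyst review."""
    return [triage(a).package for a in apps if triage(a).score >= FLAG_THRESHOLD]


# Constructed sample artifacts (placeholder package names, hosts and URLs).
TROJANIZED = AppArtifacts(
    package="com.example.vpn.trojanized",
    permissions={"android.permission.INTERNET", "android.permission.REQUEST_INSTALL_PACKAGES"},
    strings=[
        "https://placeholder-project.firebaseio.com/config.json",
        "https://raw.githubusercontent.com/placeholder-owner/placeholder-repo/main/payload.apk",
        "Google Play Services needs to be updated",
    ],
    api_refs={"FirebaseDatabase", "PackageManager.canRequestPackageInstalls"},
)
BENIGN_VPN = AppArtifacts(  # uses Firebase for feature flags only
    package="com.example.vpn.clean",
    permissions={"android.permission.INTERNET"},
    strings=["https://placeholder-project.firebaseio.com/flags.json"],
    api_refs={"FirebaseRemoteConfig"},
)
SELF_UPDATER = AppArtifacts(  # open-source app that updates itself from GitHub releases
    package="org.example.updater",
    permissions={"android.permission.REQUEST_INSTALL_PACKAGES"},
    strings=["https://github.com/placeholder-owner/placeholder-app/releases/download/v2/app.apk"],
    api_refs=set(),
)
SAMPLE_APPS = [TROJANIZED, BENIGN_VPN, SELF_UPDATER]

if __name__ == "__main__":
    for a in SAMPLE_APPS:
        v = triage(a)
        print(f"{v.package}: score={v.score}; " + "; ".join(v.reasons))
    print("flagged:", flagged(SAMPLE_APPS))
```

The self-updater case is deliberate: a GitHub-hosted APK plus `REQUEST_INSTALL_PACKAGES` is exactly what a legitimate open-source app that ships its own updates looks like, so it stays below the threshold; only the full gated pattern crosses it.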

Final Targets: AlienBot and mRAT

The ultimate goal of the Clast82 operators was to download and launch either the mRAT spyware or the AlienBot banking trojan. AlienBot not only steals login credentials and 2FA codes from financial apps but also enables remote access to the Android device, which attackers can use, for example, to launch TeamViewer. During testing, analysts identified over 100 unique AlienBot samples delivered via Clast82.

Legitimate Apps Compromised

The Clast82 loader code was found in the following legitimate open-source apps:

  • Cake VPN
  • Pacific VPN
  • eVPN
  • BeatPlayer
  • QR/Barcode Scanner
  • MAX Music Player
  • tooltipnatorlibrary
  • QRecorder

Notably, for each modification, the attackers created a fake developer account on Google Play and a corresponding repository on GitHub. However, this extra layer of protection was poorly executed: all developer accounts were registered with the same Gmail address.
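The shared registration address is the kind of weak link a store reviewer or threat analyst pivots on: once one listing is confirmed bad, every other listing tied to it by a shared identity attribute deserves a look. The script below is an added example, not Check Point's tooling; it links constructed listing records (placeholder app names, accounts, e-mails and repository URLs) by shared contact e-mail or shared GitHub repository owner using a union-find, so that separate developer accounts and repositories collapse into one cluster.

```python
"""Cluster store listings by shared publisher identity (added example)."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample listings; none of these are real accounts or repositories.
LISTINGS = [
    {"app": "Example VPN A", "developer": "dev-account-1",
     "email": "shared.contact@example.com", "repo": "https://github.com/dev-account-1/vpn-a"},
    {"app": "Example VPN B", "developer": "dev-account-2",
     "email": "Shared.Contact@example.com", "repo": "https://github.com/dev-account-2/vpn-b"},
    {"app": "Example Player", "developer": "dev-account-3",
     "email": "shared.contact@example.com", "repo": "https://github.com/dev-account-3/player"},
    {"app": "Example Scanner", "developer": "dev-account-4",
     "email": "other.contact@example.com", "repo": "https://github.com/dev-account-3/scanner"},
    {"app": "Unrelated Notes", "developer": "notes-dev",
     "email": "notes@example.org", "repo": "https://github.com/notes-dev/notes"},
]


def repo_owner(url: str):
    """First path segment of a GitHub URL, lower-cased; None if absent."""
    parts = urlparse(url).path.strip("/").split("/")
    return parts[0].lower() if parts and parts[0] else None


class UnionFind:
    def __init__(self, n: int):
        self.parent = list(range(n))

    def find(self, x: int) -> int:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: int, b: int) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_listings(listings) -> list:
    """Group listings that share a contact e-mail or a repository owner.

    Returns clusters (lists of app names) sorted by size, largest first.
    """
    uf = UnionFind(len(listings))
    by_attr = defaultdict(list)
    for i, item in enumerate(listings):
        by_attr[("email", item["email"].lower())].append(i)
        owner = repo_owner(item["repo"])
        if owner:
            by_attr[("owner", owner)].append(i)
    for idxs in by_attr.values():
        for j in idxs[1:]:
            uf.union(idxs[0], j)
    clusters = defaultdict(list)
    for i, item in enumerate(listings):
        clusters[uf.find(i)].append(item["app"])
    return sorted(clusters.values(), key=lambda c: (-len(c), c[0]))


def siblings_of(app_name: str, listings) -> list:
    """Other apps in the same identity cluster as app_name (empty if none)."""
    for cluster in cluster_listings(listings):
        if app_name in cluster:
            return [a for a in cluster if a != app_name]
    return []


if __name__ == "__main__":
    for cluster in cluster_listings(LISTINGS):
        print(f"{len(cluster)} listing(s): {', '.join(cluster)}")
    print("siblings of Example Scanner:", siblings_of("Example Scanner", LISTINGS))
```

E-mail comparison is case-insensitive, and "Example Scanner" joins the cluster through the repository owner alone, which is why the links are computed over every identity attribute rather than e-mail only.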

Response and Removal

Check Point specialists reported their findings to Google on January 28. On February 9, they received confirmation that all Clast82-infected apps had been removed from the Play Store.